Annotation of wikisrc/tutorials/how_to_encrypt_iscsi_devices.mdwn, revision 1.1

1.1     ! jdf         1: **Contents**
        !             2: 
        !             3: [[!toc levels=3]]
        !             4: 
        !             5: # Encrypted iSCSI Devices on NetBSD
        !             6: 
        !             7: ## Introduction
        !             8: 
        !             9: This document shows how to set up and run an encrypted iSCSI device on NetBSD.
        !            10: Encryption of devices can be used for maintaining privacy on devices located
        !            11: remotely, possibly on co-located hardware, for instance, or on machines which
        !            12: could be stolen, or to which others could gain access.
        !            13: 
        !            14: To encrypt the iSCSI device, we use the NetBSD iSCSI initiator, available in
        !            15: NetBSD-current, and the standard cgd device.  In all, setting up an encrypted
        !            16: device in this manner should take less than 15 minutes, even for someone
        !            17: unfamiliar with iSCSI or cgd.
        !            18: 
        !            19: The approach is to layer a vnd on top of the "storage" file presented by the
        !            20: iSCSI target. This is exactly the same as normal. On top of that vnd, we layer a
        !            21: cgd device, which ensures that all data is encrypted on the iSCSI device.
        !            22: 
        !            23: ### Device Initialisation
        !            24: 
        !            25: This first section shows how to initialise the device, a one-time operation.
        !            26: 
        !            27: Firstly, the initiator is started, pointing at the machine which is presenting
        !            28: the iSCSI storage (i.e. the machine on which the iSCSI target is running). In
        !            29: this example, the target is running on the same machine as the initiator (a
        !            30: laptop called, in a moment of inspiration, inspiron1300). A 50 MB iSCSI target
        !            31: is being presented as target1.
        !            32: 
        !            33:     # obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
        !            34:     [1] 11196
        !            35:     # df
        !            36:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
        !            37:     /dev/dk0      28101396   20862004    5834324  78% /
        !            38:     kernfs               1          1          0 100% /kern
        !            39:     procfs               4          4          0 100% /proc
        !            40:     ptyfs                1          1          0 100% /dev/pts
        !            41:     /dev/puffs           0          0          0 100% /mnt
        !            42: 
        !            43: Looking at the last line, we can see that the initiator is running via the puffs 
        !            44: device.
        !            45: 
        !            46: We now add a vnd device on top of the storage which the target is presenting:
        !            47: 
        !            48:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
        !            49: 
        !            50: We now add a disklabel whose partition is offset 63 blocks into the iSCSI device.
        !            51: This is so that the encrypted device which we shall put on top of the vnd does not
        !            52: clash with the vnd's label. You should set that partition's fstype to "cgd".
        !            53: 
        !            54:     # disklabel -e vnd0
        !            55:     
        !            56:     # /dev/rvnd0d:
        !            57:     type: vnd
        !            58:     disk: vnd
        !            59:     label: fictitious
        !            60:     flags:
        !            61:     bytes/sector: 512
        !            62:     sectors/track: 32
        !            63:     tracks/cylinder: 64
        !            64:     sectors/cylinder: 2048
        !            65:     cylinders: 50
        !            66:     total sectors: 102400
        !            67:     rpm: 3600
        !            68:     interleave: 1
        !            69:     trackskew: 0
        !            70:     cylinderskew: 0
        !            71:     headswitch: 0           # microseconds
        !            72:     track-to-track seek: 0  # microseconds
        !            73:     drivedata: 0
        !            74:     
        !            75:     4 partitions:
        !            76:     #        size    offset     fstype [fsize bsize cpg/sgs]
        !            77:      a:    102336        63        cgd   2048 16384 28360  # (Cyl.      0 -     49)
        !            78:      d:    102400         0     unused      0     0        # (Cyl.      0 -     49)
        !            79: 
        !            80: We now set up the cgd device, pointing it at the vnd device.
        !            81: 
        !            82:     # priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom
        !            83: 
        !            84: and then zero the cgd device's storage.
        !            85: 
        !            86:     # dd if=/dev/zero of=/dev/rcgd0d bs=32k
        !            87:     dd: /dev/rcgd0d: Invalid argument
        !            88:     1601+0 records in
        !            89:     1600+0 records out
        !            90:     52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
        !            91: 
        !            92: We now unconfigure the cgd device.
        !            93: 
        !            94:     # cgdconfig -u cgd0
        !            95: 
        !            96: and then generate the cgd parameters file, using the disklabel verification
        !            97: method. Sometimes this process does not complete properly, and so it has to be repeated.
        !            98: 
        !            99:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
        !           100:     cgdconfig: could not calibrate pkcs5_pbkdf2
        !           101:     cgdconfig: Failed to generate defaults for keygen
        !           102:     # cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
        !           103: 
        !           104: Now we have to add the password to the cgd device:
        !           105: 
        !           106:     # cgdconfig -V re-enter cgd0 /dev/vnd0a
        !           107:     /dev/vnd0a's passphrase:
        !           108:     re-enter device's passphrase:
        !           109: 
        !           110: and disklabel inside the cgd itself:
        !           111: 
        !           112:     # disklabel -I -e cgd0
        !           113:     
        !           114:     # /dev/rcgd0d:
        !           115:     type: cgd
        !           116:     disk: cgd
        !           117:     label: fictitious
        !           118:     flags:
        !           119:     bytes/sector: 512
        !           120:     sectors/track: 2048
        !           121:     tracks/cylinder: 1
        !           122:     sectors/cylinder: 2048
        !           123:     cylinders: 49
        !           124:     total sectors: 102336
        !           125:     rpm: 3600
        !           126:     interleave: 1
        !           127:     trackskew: 0
        !           128:     cylinderskew: 0
        !           129:     headswitch: 0           # microseconds
        !           130:     track-to-track seek: 0  # microseconds
        !           131:     drivedata: 0
        !           132:     
        !           133:     4 partitions:
        !           134:     #        size    offset     fstype [fsize bsize cpg/sgs]
        !           135:      a:    102336         0     4.2BSD   2048 16384 28360  # (Cyl.      0 -     49*)
        !           136:      d:    102336         0     unused      0     0        # (Cyl.      0 -     49*)
        !           137: 
        !           138: Having placed a disklabel inside the cgd, we can now make a filesystem on there:
        !           139: 
        !           140:     # newfs /dev/rcgd0a
        !           141:     /dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
        !           142:     using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
        !           143:     super-block backups (for fsck_ffs -b #) at:
        !           144:     32, 25616, 51200, 76784,
        !           145: 
        !           146: We can then mount the new file system in the cgd on the /iscsi mount point:
        !           147: 
        !           148:     # df
        !           149:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
        !           150:     /dev/dk0      28101396   20910216    5786112  78% /
        !           151:     kernfs               1          1          0 100% /kern
        !           152:     procfs               4          4          0 100% /proc
        !           153:     ptyfs                1          1          0 100% /dev/pts
        !           154:     /dev/puffs           0          0          0 100% /mnt
        !           155:     # mount /dev/cgd0a /iscsi
        !           156:     # df
        !           157:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
        !           158:     /dev/dk0      28101396   20910216    5786112  78% /
        !           159:     kernfs               1          1          0 100% /kern
        !           160:     procfs               4          4          0 100% /proc
        !           161:     ptyfs                1          1          0 100% /dev/pts
        !           162:     /dev/puffs           0          0          0 100% /mnt
        !           163:     /dev/cgd0a       49519          1      47043   0% /iscsi
        !           164: 
        !           165: The new file system, mounted on /iscsi, can now be used as normal.
        !           166: 
        !           167: ### Unmounting the Encrypted Device
        !           168: 
        !           169: The device can be freed up using the following commands:
        !           170: 
        !           171:     # umount /iscsi
        !           172:     # cgdconfig -u cgd0
        !           173:     # vnconfig -u vnd0
        !           174: 
        !           175: ### Normal Usage
        !           176: 
        !           177: In normal usage, the device can be mounted. Firstly, the initiator must be
        !           178: configured to connect to the device:
        !           179: 
        !           180:     # vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
        !           181:     # cgdconfig cgd0 /dev/vnd0a
        !           182:     /dev/vnd0a's passphrase:
        !           183: 
        !           184: I'm using dk devices on this machine, so I now have to access the cgd device
        !           185: using the dk that was assigned in the cgdconfig step.  If I wasn't using dk
        !           186: devices, then I'd use the cgd device.
        !           187: 
        !           188: So either do
        !           189: 
        !           190:     # mount /dev/cgd0a /iscsi
        !           191: 
        !           192: or
        !           193: 
        !           194:     # mount /dev/dk3 /iscsi
        !           195: 
        !           196: Then,
        !           197: 
        !           198:     # ls -al /iscsi
        !           199:     total 3
        !           200:     drwxr-xr-x   2 root  wheel   512 Jan  1  1970 .
        !           201:     drwxr-xr-x  35 root  wheel  1536 Jan  5 08:59 ..
        !           202:     # df
        !           203:     Filesystem   1K-blocks       Used      Avail %Cap Mounted on
        !           204:     /dev/dk0      28101396   20910100    5786228  78% /
        !           205:     kernfs               1          1          0 100% /kern
        !           206:     procfs               4          4          0 100% /proc
        !           207:     ptyfs                1          1          0 100% /dev/pts
        !           208:     /dev/puffs           0          0          0 100% /mnt
        !           209:     /dev/dk3         49519          1      47043   0% /iscsi
        !           210: 
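Added example (not part of the original tutorial): the Normal Usage and Unmounting sequences above as one script that brings the layers up in order and unwinds them if a step fails. The function names, `DRY_RUN`, `LOG` and `MOUNT_DEV` are assumptions made for this example; the paths and device names are the ones used on this page, and the initiator is assumed to be running already.

```shell
#!/bin/sh
# Added example: the tutorial's mount and unmount sequences with ordered rollback.
# Paths and device names are the tutorial's; function names, DRY_RUN, LOG and
# MOUNT_DEV are assumptions made for this example.
STORAGE=/mnt/inspiron1300.wherever.co.uk/target1/storage
VND=vnd0
CGD=cgd0
MNT=/iscsi
MOUNT_DEV=/dev/${CGD}a      # on a machine using dk devices, the assigned dk instead
DRY_RUN=${DRY_RUN:-1}       # 1 = only record the commands, 0 = execute them
LOG=""                      # every command attempted, one per line

run() {
    LOG="${LOG}$*
"
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    "$@"
}

# vnd on the iSCSI storage file, then cgd on the vnd, then the file system.
stack_up() {
    run vnconfig "$VND" "$STORAGE" || return 1
    if ! run cgdconfig "$CGD" "/dev/${VND}a"; then   # prompts for the passphrase
        run vnconfig -u "$VND"                       # do not leave the vnd attached
        return 1
    fi
    if ! run mount "$MOUNT_DEV" "$MNT"; then
        run cgdconfig -u "$CGD"                      # unconfigure cgd so the key is unloaded
        run vnconfig -u "$VND"
        return 1
    fi
}

# Strict reverse order; stop at the first failure so that a layer is never
# removed from underneath one that is still in use.
stack_down() {
    run umount "$MNT" || return 1
    run cgdconfig -u "$CGD" || return 1
    run vnconfig -u "$VND"
}

case "${1:-}" in
    up)   stack_up;   rc=$?; printf '%s' "$LOG"; exit "$rc" ;;
    down) stack_down; rc=$?; printf '%s' "$LOG"; exit "$rc" ;;
esac
```

With the default `DRY_RUN=1` the script only prints the commands it would run; set `DRY_RUN=0` as root on the NetBSD host to execute them.
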
        !           211: ### Conclusion
        !           212: 
        !           213: An iSCSI disk can be in a location over which complete control cannot be
        !           214: assured. In order to ensure privacy, the cgd device can be used to encrypt the
        !           215: data on the iSCSI device.
        !           216: 
        !           217: This document has shown how to set up a cgd device on top of the iSCSI device,
        !           218: and how to mount and unmount on a regular basis.
        !           219: 
